To protect an ESXi host against unauthorized intrusion and misuse, VMware imposes constraints on several parameters, settings, and activities. You can loosen the constraints to meet your configuration needs. If you do, make sure that you are working in a trusted environment and take other security measures.

Built-In Security Features

Risks to the hosts are mitigated out of the box as follows:

  • ESXi Shell and SSH are disabled by default.

  • Only a limited number of firewall ports are open by default. You can explicitly open additional firewall ports that are associated with specific services.

  • ESXi runs only services that are essential to managing its functions. The distribution is limited to the features required to run ESXi.

  • By default, all ports that are not required for management access to the host are closed. Open ports if you need additional services.

  • By default, weak ciphers are disabled and communications from clients are secured by SSL. The exact algorithms used for securing the channel depend on the SSL handshake. Default certificates created on ESXi use PKCS#1 SHA-256 with RSA encryption as the signature algorithm.

  • A Tomcat Web service is used internally by ESXi to support access by Web clients. The service has been modified to run only functions that a Web client requires for administration and monitoring. As a result, ESXi is not vulnerable to the Tomcat security issues reported in broader use.

  • VMware monitors all security alerts that can affect ESXi security and issues a security patch if needed.

  • Insecure services such as FTP and Telnet are not installed, and the ports for these services are closed by default. Because more secure services such as SSH and SFTP are easily available, avoid using these insecure services and use their safer alternatives. For example, use Telnet with SSL to access virtual serial ports if SSH is unavailable and you must use Telnet.

    If you must use insecure services and have implemented sufficient protection for the host, you can explicitly open ports to support them.

  • Consider using UEFI Secure Boot for your ESXi system. See UEFI Secure Boot for ESXi Hosts.

Additional Security Measures

Consider the following recommendations when evaluating host security and administration.

Limit access

If you enable access to the Direct Console User Interface (DCUI) the ESXi Shell, or SSH, enforce strict access security policies.

The ESXi Shell has privileged access to certain parts of the host. Provide only trusted users with ESXi Shell login access.

Do not access managed hosts directly

Use the vSphere Web Client to administer ESXi hosts that are managed by a vCenter Server. Do not access managed hosts directly with the VMware Host Client, and do not change managed hosts from the DCUI.

If you manage hosts with a scripting interface or API, do not target the host directly. Instead, target the vCenter Server system that manages the host and specify the host name.

Use DCUI only for troubleshooting

Access the host from the DCUI or the ESXi Shell as the root user only for troubleshooting. Use one of the GUI clients, or one of the VMware CLIs or APIs to administer your ESXi hosts. If you use the ESXi Shell or SSH, limit the accounts that have access and set timeouts.

Use only VMware sources to upgrade ESXi components

The host runs several third-party packages to support management interfaces or tasks that you must perform. VMware only supports upgrades to these packages that come from a VMware source. If you use a download or patch from another source, you might compromise management interface security or functions. Check third-party vendor sites and the VMware knowledge base for security alerts.

Note:

Follow the VMware security advisories at http://www.vmware.com/security/.